By 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications.
API Security

1. What exactly are the security problems with APIs?
2. What can be done about API security?
3. Where should you start?
API Security

1. What exactly are the security problems with APIs?

Gartner


APIs Are Intended to Be Easy to Use

- Commonly understood technologies:
  - JSON, web protocols, XML
- Typically published in a developer portal:
  - ... or used “under the hood” in a web or mobile framework
- Emphasis is placed on “Quick time to Hello World”
Most organizations currently use APIs

- Currently use APIs: 73%
- Currently implementing APIs: 17%
- Plan to implement APIs in the next 12 months: 10%

Source: Gartner Survey “API Usage and its Role in Digital Platform Growth Report” 2018
APIs are often implemented to help with integration and data access, but also digital business

Top business goals or objectives organizations address with APIs (coded), percent of respondents:

- Integration between various platforms/apps/systems: 11%
- Digital business/transformation/services: 10%
- Data accessibility
- Interchange data/services with customers
- Legacy modernization
- New/improved services/products
- Regulation (PSD2)
- Mobile applications
- Decoupling customer engagement systems
- Easier application assembly
- Increase revenue
- Platform strategy
- User experience
- Data monetization
- Other
- Faster/easier connectivity
APIs are often implemented to help with integration and data access

Business goal or objective organizations address with APIs (open-ended responses):

“APIs give businesses more agility in their projects and the ability to get more value from information that is no longer hidden in an application, but exposed with APIs.”

“Improve integration between new and legacy applications. Standardize how business functionality exposed by APIs is governed, managed and consumed.”

“Re-usable integration platform in support of a common information model. Ability to increase the reuse of integration points. Ability to incorporate business rules within the API transactions for data/record validation.”

“Standardize processes for data access across teams and reuse where possible, manage through governance, monitor and manage response.”
Internal APIs are widespread; less than a third plan to deploy public / externally exposed APIs

Types of APIs organizations currently use/plan to use, percent of respondents:

- Private APIs to connect with other businesses in your network or support chain: 57%
- APIs provided by third parties: 44%
- Public/externally exposed APIs: 32%
- Other: 2%
Attackers Go After Targets That Are the Most Valuable

Calls APIs → the data and applications are here

- Data breaches
- Denial of Service
- “Scraping” attacks
DevOps
GitLab security update - API flaw could have exposed private events
By Joe Fay - October 2, 2018

By Charlie Osborne for Zero Day | August 6, 2018 -- 08:14 GMT (01:14 PDT) | Topic: Security
Instagram's leaky API exposed celebrities' contact details

API Leaks Data for
data leak
ting cloud services.
The top 3 challenges to organizational API strategy
Percent of respondents (Rank 1, Rank 2, Rank 3, sum of top 3)

- Security concerns
- Lack of skills
- Lack of API standards
- Missing key roles, such as API product manager
- Immature tooling
- Obtaining executive buy-in
- No digital program
- Other


API Security

2. What can be done about API security?
Follow These Three Steps

1. Discover: Inventory APIs that have been delivered, or are in the development process. APIs consumed from third parties should also be included.
2. Monitor: Observe your API usage. Learn what “normal” is for API behavior.
3. Secure: Create a policy to secure your APIs.
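The Discover and Monitor steps above, worked through over gateway access logs as an added example (this is not code from the Gartner deck). It assumes a constructed log line format of `<epoch-seconds> <client-id> <method> <path> <status>` and a constructed list of declared endpoints; it goes slightly beyond the slide by also surfacing an endpoint that carries traffic but was never declared, and a client whose behaviour (request volume, number of distinct resource ids walked) departs from what the other clients look like.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed API gateway access log (not real traffic). Assumed line format:
#   <epoch-seconds> <client-id> <method> <path> <status>
SAMPLE_LOG = [
    "1000 app-ios GET /v1/users/123 200",
    "1001 app-ios GET /v1/users/123/orders 200",
    "1002 app-ios GET /v1/users/456 200",
    "1003 partner-a POST /v1/orders 201",
    "1004 partner-a POST /v1/orders 201",
    "1005 app-ios GET /v1/users/789 200",
    "1006 partner-a GET /v1/orders/42 200",
    "1007 app-ios GET /v1/admin/export 403",
    "not a log line",  # malformed input; parse() skips it
] + [f"{1010 + i} bulk-client GET /v1/users/{i} 200" for i in range(30)]

# Endpoints the team believes it has published (constructed). "Discover"
# compares observed traffic against this list to surface undocumented APIs.
DECLARED = {
    ("GET", "/v1/users/{id}"), ("GET", "/v1/users/{id}/orders"),
    ("POST", "/v1/orders"), ("GET", "/v1/orders/{id}"),
}

LINE_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, path, status = m.groups()
        records.append({"ts": int(ts), "client": client, "method": method,
                        "path": path, "status": int(status)})
    return records


def template(path):
    """Collapse numeric path segments so /v1/users/123 becomes /v1/users/{id}."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def discover(records):
    """Step 1 (Discover): inventory of every (method, path template) seen in traffic."""
    return {(r["method"], template(r["path"])) for r in records}


def shadow_endpoints(records, declared=DECLARED):
    """Endpoints that carry traffic but are missing from the declared inventory."""
    return discover(records) - declared


def client_baseline(records):
    """Step 2 (Monitor): per-client request volume and count of distinct resource ids."""
    counts = Counter(r["client"] for r in records)
    ids = defaultdict(set)
    for r in records:
        ids[r["client"]].update(seg for seg in r["path"].split("/") if seg.isdigit())
    return {c: {"requests": counts[c], "distinct_ids": len(ids[c])} for c in counts}


def flag_outliers(records, volume_factor=4, max_ids=10):
    """Clients that deviate from 'normal': request volume far above the median
    client, or walking through many distinct ids (scraping/enumeration)."""
    base = client_baseline(records)
    med = median(b["requests"] for b in base.values())
    return sorted(c for c, b in base.items()
                  if b["requests"] > volume_factor * med or b["distinct_ids"] > max_ids)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("inventory:", sorted(discover(recs)))
    print("undocumented:", shadow_endpoints(recs))
    print("outliers:", flag_outliers(recs))
```

The thresholds (`volume_factor`, `max_ids`) are deliberately crude: the point of the Monitor step is that a baseline has to exist before any "abnormal" decision can be made, and the baseline here is simply what the other clients do. On the constructed log, the undocumented `/v1/admin/export` endpoint shows up from the inventory diff, and `bulk-client` stands out both by volume and by the 30 distinct user ids it walked through.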
Designing an API Management and Security Policy

- Think about:
  - How your APIs will be used (Mobile clients? Application-to-application traffic?)
  - Expected API usage patterns
  - Internal vs. external usage
  - Where API gateways can be placed (Cloud/On-premises/Both?)
  - Potential threats to your APIs
  - Authentication of both end users and API clients
  - Data security

All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates.


Web Application Firewalls (WAFs) and API Gateways

WAF: Threat Protection
- DDoS protection
- Bot mitigation
- Attack signatures (OWASP)
- Whitelist management
- Anomaly detection

API Gateway: API Access Control
- Transformation/Orchestration
- Per-API authorization management
- Performance optimization (caching)
- Scope management — throttling

The API gateway is the application delivery controller for APIs.
WAFs provide threat detection for public-facing web applications.
API Security

3. Where should you start?
Your API Security Building Blocks

- Authentication of the API client (e.g., mobile app)
- Authentication of the end user
- Quota management/traffic throttling
- Content inspection
- Content validation (JSON schema, XML schema)
- Tokenization of sensitive information (e.g., account No.)
- Automated attack/bot detection
- Transport security (TLS/SSL)
- Content encryption/decryption
- Store audit logs
- Signature validation
- API key management
- Token issuance (OAuth 2.0, JWT token)
- Fine-grained authorization (e.g., on OAuth scopes)
- Third-party identity provider (IdP) or social login
- Integration with access management
- XML/SOAP security (WS-Security, etc.)
- Event handling, including security incident event management (SIEM)

Source: “How to Build an Effective API Security Strategy” (G00342236)
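An added example (not code from the Gartner deck or the research note it cites) of a small policy enforcement point that chains several of the building blocks above in the order a gateway would apply them: API-key authentication of the client, sliding-window quota management, HS256 token issuance and signature validation for the end user, scope-based fine-grained authorization, JSON content validation, and an audit log entry for every decision. The signing secret, the API-key table, the order schema and every token value are constructed assumptions; a production gateway would take its keys from a key-management service and use a vetted JWT library rather than the stdlib-only verifier shown here.

```python
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque

# Constructed values (assumptions for this example, not a real deployment):
SECRET = b"example-hs256-secret-not-for-production"   # token-signing key
API_KEYS = {"key-mobile-app": "app-ios"}                # API key -> client id
# Schema: field -> (exact type, max length or None); key sets must match exactly.
ORDER_SCHEMA = {"sku": (str, 32), "qty": (int, None)}
AUDIT_LOG = []   # "store audit logs": one entry per gateway decision

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub, scopes, ttl=300, now=None):
    """Token issuance: mint a short-lived HS256 JWT carrying OAuth-style scopes."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": sub, "scope": " ".join(scopes), "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token, now=None):
    """Signature validation: claims, or None for malformed/none-alg/bad-MAC/expired tokens."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        payload = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except (ValueError, AttributeError):   # wrong segment count, bad base64/JSON, non-str
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":       # pin the algorithm; never let the token choose
        return None
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload

def validate_body(body, schema=ORDER_SCHEMA):
    """Content validation: exact key set, exact types (bool is not int), bounded lengths."""
    if not isinstance(body, dict) or set(body) != set(schema):
        return False
    for key, (typ, max_len) in schema.items():
        if type(body[key]) is not typ:
            return False
        if max_len is not None and len(body[key]) > max_len:
            return False
    return True

class Throttle:
    """Quota management: sliding-window request limit per API key."""
    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

THROTTLE = Throttle(limit=60, window_seconds=60)

def handle_request(api_key, token, body, required_scope="orders:write",
                   throttle=THROTTLE, now=None):
    """Policy enforcement point chaining the building blocks; returns an HTTP status."""
    now = int(time.time()) if now is None else now
    def decide(status, reason):
        AUDIT_LOG.append({"ts": now, "api_key": api_key, "status": status, "reason": reason})
        return status
    if api_key not in API_KEYS:                    # authentication of the API client
        return decide(401, "unknown api key")
    if not throttle.allow(api_key, now):           # quota check before costly work
        return decide(429, "quota exceeded")
    claims = verify_token(token, now)              # authentication of the end user
    if claims is None:
        return decide(401, "invalid token")
    if required_scope not in str(claims.get("scope", "")).split():   # fine-grained authz
        return decide(403, "missing scope")
    if not validate_body(body):                    # content validation
        return decide(400, "schema violation")
    return decide(201, "accepted")
```

Two design points worth noting: the algorithm is pinned on the verifying side rather than read from the token header, so a header claiming `alg: none` or a different algorithm is rejected before any signature logic runs; and the quota check sits ahead of token verification so that a flood of bad tokens is cut off by the throttle instead of costing a MAC computation each time. The audit log records the reason for every decision, which is what feeds the SIEM integration listed among the building blocks.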
Creating an Effective API Security Policy

[Figure: policy diagram between Client and API; image not preserved]

Source: “How to Build an Effective API Security Strategy” (G00342236)
Recommendations

- Start and maintain an inventory of your APIs:
  - Discover the APIs you have built
  - Also inventory the APIs you consume from others
- Construct API security policies that include:
  - Authentication and authorization
  - Attack protection
  - Data security

For information, please contact your Gartner representative